Spaces:

cuatrolabs
/

cuatrolabs-auth-ms

Running

MukeshKapoor25 commited on 24 days ago

Commit

7ad6539

1 Parent(s): 21b0cca

fix(wati_service): Add validation for missing access token and deployment configuration

- Add early validation of WATI_ACCESS_TOKEN in service initialization to catch missing configuration
- Implement token validation in _get_headers() method to prevent illegal "Bearer " header values
- Add pre-flight checks in send_otp_message() before attempting API requests
- Strip whitespace from access token to handle edge cases
- Create diagnostic script (check_wati_config.py) to verify WATI configuration in deployment
- Create error handling test script (test_wati_error_handling.py) for validation scenarios
- Add comprehensive documentation (WATI_BEARER_TOKEN_FIX.md) explaining root cause and deployment steps
- Prevents httpcore.LocalProtocolError when WATI_ACCESS_TOKEN is not configured in Docker/Kubernetes environments

Files changed (5) hide show

WATI_BEARER_TOKEN_FIX.md +158 -0
WATI_DEPLOYMENT_FIX.md +129 -0
app/auth/services/wati_service.py +16 -1
check_wati_config.py +45 -0
test_wati_error_handling.py +57 -0

WATI_BEARER_TOKEN_FIX.md ADDED Viewed

	@@ -0,0 +1,158 @@

+# WATI Bearer Token Error Fix
+## Problem
+The WATI WhatsApp OTP service was failing with the error:
+```
+httpcore.LocalProtocolError: Illegal header value b'Bearer '
+```
+This error occurs when the Authorization header is set to `"Bearer "` (with a space but no actual token), which is an illegal HTTP header value.
+## Root Cause
+The `WATI_ACCESS_TOKEN` environment variable was **not configured in the deployment environment** (Docker/Kubernetes), even though it was present in the local `.env` file.
+When the service runs in a container:
+1. The `.env` file is not copied to the Docker image (by design, for security)
+2. Environment variables must be passed via Docker environment variables or Kubernetes secrets
+3. Without the token, the code was generating `"Bearer "` (empty token), causing the HTTP error
+## Solution
+### 1. Enhanced Error Handling in `wati_service.py`
+Added validation to catch missing/empty tokens early:
+```python
+def __init__(self):
+    # ... existing code ...
+    # Validate configuration on initialization
+    if not self.access_token or not self.access_token.strip():
+        logger.warning(
+            "WATI_ACCESS_TOKEN is not configured or is empty. "
+            "WhatsApp OTP functionality will not work."
+        )
+def _get_headers(self) -> Dict[str, str]:
+    """Get HTTP headers for WATI API requests."""
+    if not self.access_token or not self.access_token.strip():
+        raise ValueError("WATI_ACCESS_TOKEN is not configured or is empty")
+    return {
+        "Authorization": f"Bearer {self.access_token.strip()}",
+        "Content-Type": "application/json"
+    }
+async def send_otp_message(...):
+    # Validate configuration before attempting to send
+    if not self.access_token or not self.access_token.strip():
+        logger.error("WATI_ACCESS_TOKEN is not configured. Cannot send OTP.")
+        return False, "WhatsApp OTP service is not configured", None
+    # ... rest of the code ...
+```
+### 2. Updated Helm Deployment Configuration
+Added WATI environment variables to `cuatrolabs-deploy/values-auth-ms.yaml`:
+```yaml
+env:
+  # ... existing env vars ...
+  # WATI WhatsApp API Configuration
+  WATI_API_ENDPOINT: "https://live-mt-server.wati.io/104318"
+  WATI_OTP_TEMPLATE_NAME: "customer_otp_login"
+  WATI_STAFF_OTP_TEMPLATE_NAME: "staff_otp_login"
+  # OTP Configuration
+  OTP_TTL_SECONDS: "600"
+  OTP_RATE_LIMIT_MAX: "10"
+  OTP_RATE_LIMIT_WINDOW: "600"
+secretEnv:
+  # ... existing secrets ...
+  # WATI Access Token (sensitive - should be in secrets)
+  WATI_ACCESS_TOKEN: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+```
+### 3. Created Diagnostic Script
+Created `check_wati_config.py` to verify WATI configuration:
+```bash
+cd cuatrolabs-auth-ms
+python3 check_wati_config.py
+```
+This script checks:
+- Whether WATI_ACCESS_TOKEN is loaded
+- Token length and format
+- Header generation
+## Deployment Steps
+### For Local Development
+The `.env` file already has the correct configuration. No changes needed.
+### For Docker/Kubernetes Deployment
+1. **Update the deployment** with the new Helm values:
+   ```bash
+   cd cuatrolabs-deploy
+   ./deploy-helm.sh auth-ms
+   ```
+2. **Verify the deployment**:
+   ```bash
+   kubectl get pods -l app=auth-ms
+   kubectl logs -l app=auth-ms --tail=50
+   ```
+3. **Test the OTP endpoint**:
+   ```bash
+   curl -X POST https://api.cuatrolabs.com/auth/customer/send-otp \
+     -H "Content-Type: application/json" \
+     -d '{"mobile": "+919999999999"}'
+   ```
+### For Production (Best Practice)
+Instead of hardcoding the token in `values-auth-ms.yaml`, use Kubernetes secrets:
+1. **Create a secret**:
+   ```bash
+   kubectl create secret generic wati-credentials \
+     --from-literal=access-token='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
+   ```
+2. **Update the Helm chart** to reference the secret:
+   ```yaml
+   envFrom:
+     - secretRef:
+         name: wati-credentials
+   ```
+## Verification
+After deployment, check the logs for:
+✅ **Success**: `OTP sent successfully via WATI to 919999999999. Message ID: xxx`
+❌ **Configuration Error**: `WATI_ACCESS_TOKEN is not configured. Cannot send OTP.`
+❌ **API Error**: `WATI API request failed with status 401` (invalid token)
+## Files Modified
+1. `cuatrolabs-auth-ms/app/auth/services/wati_service.py` - Enhanced error handling
+2. `cuatrolabs-deploy/values-auth-ms.yaml` - Added WATI environment variables
+3. `cuatrolabs-auth-ms/check_wati_config.py` - New diagnostic script (created)
+4. `cuatrolabs-auth-ms/WATI_BEARER_TOKEN_FIX.md` - This documentation (created)
+## Related Documentation
+- `cuatrolabs-auth-ms/WATI_INTEGRATION_OVERVIEW.md` - WATI integration overview
+- `cuatrolabs-auth-ms/WATI_QUICKSTART.md` - Quick start guide
+- `cuatrolabs-auth-ms/WATI_WHATSAPP_OTP_INTEGRATION.md` - Detailed integration guide
+- `cuatrolabs-auth-ms/WATI_DEPLOYMENT_CHECKLIST.md` - Deployment checklist

WATI_DEPLOYMENT_FIX.md ADDED Viewed

	@@ -0,0 +1,129 @@

+# WATI Deployment Fix - Quick Reference
+## Issue
+`httpcore.LocalProtocolError: Illegal header value b'Bearer '` when sending OTP via WATI.
+## Cause
+Missing `WATI_ACCESS_TOKEN` environment variable in deployment configuration.
+## Fix Applied
+### 1. Code Changes (Already Applied)
+- ✅ Enhanced error handling in `wati_service.py`
+- ✅ Early validation of WATI_ACCESS_TOKEN
+- ✅ Graceful error messages instead of crashes
+### 2. Deployment Configuration (Action Required)
+**File**: `cuatrolabs-deploy/values-auth-ms.yaml`
+Added WATI environment variables:
+```yaml
+env:
+  WATI_API_ENDPOINT: "https://live-mt-server.wati.io/104318"
+  WATI_OTP_TEMPLATE_NAME: "customer_otp_login"
+  WATI_STAFF_OTP_TEMPLATE_NAME: "staff_otp_login"
+  OTP_TTL_SECONDS: "600"
+secretEnv:
+  WATI_ACCESS_TOKEN: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+```
+## Deployment Steps
+### Option A: Quick Deploy (Development/Staging)
+```bash
+cd cuatrolabs-deploy
+./deploy-helm.sh auth-ms
+```
+### Option B: Production Deploy (Recommended)
+Use Kubernetes secrets for sensitive data:
+```bash
+# 1. Create secret
+kubectl create secret generic wati-credentials \
+  --from-literal=WATI_ACCESS_TOKEN='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6ImN0b0BjdWF0cm9sYWJzLmNvbSIsIm5hbWVpZCI6ImN0b0BjdWF0cm9sYWJzLmNvbSIsImVtYWlsIjoiY3RvQGN1YXRyb2xhYnMuY29tIiwiYXV0aF90aW1lIjoiMDIvMDUvMjAyNiAxMjoyODoyMyIsInRlbmFudF9pZCI6IjEwNDMxODIiLCJkYl9uYW1lIjoibXQtcHJvZC1UZW5hbnRzIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiQURNSU5JU1RSQVRPUiIsImV4cCI6MjUzNDAyMzAwODAwLCJpc3MiOiJDbGFyZV9BSSIsImF1ZCI6IkNsYXJlX0FJIn0.pC-dfN0w2moe87hD7g6Kqk1ocmgYQiEH3hmHwNquKfY'
+# 2. Deploy
+./deploy-helm.sh auth-ms
+```
+## Verification
+### 1. Check Pod Status
+```bash
+kubectl get pods -l app=auth-ms
+kubectl logs -l app=auth-ms --tail=100 | grep WATI
+```
+### 2. Test OTP Endpoint
+```bash
+curl -X POST http://localhost:7860/customer/send-otp \
+  -H "Content-Type: application/json" \
+  -d '{
+    "mobile": "+919999999999"
+  }'
+```
+**Expected Success Response**:
+```json
+{
+  "success": true,
+  "message": "OTP sent successfully via WhatsApp"
+}
+```
+**Expected Error (if still not configured)**:
+```json
+{
+  "success": false,
+  "message": "WhatsApp OTP service is not configured"
+}
+```
+### 3. Check Configuration (Inside Pod)
+```bash
+kubectl exec -it <auth-ms-pod> -- python3 check_wati_config.py
+```
+## Troubleshooting
+### Error: "WhatsApp OTP service is not configured"
+- ✅ Environment variable not set in deployment
+- **Fix**: Redeploy with updated `values-auth-ms.yaml`
+### Error: "Illegal header value b'Bearer '"
+- ✅ Empty WATI_ACCESS_TOKEN
+- **Fix**: Check secret/configmap has the token
+### Error: "WATI API request failed with status 401"
+- ❌ Invalid or expired token
+- **Fix**: Get new token from WATI dashboard
+### Error: "WATI API request failed with status 404"
+- ❌ Wrong API endpoint or template name
+- **Fix**: Verify WATI_API_ENDPOINT and template names
+## Files Modified
+1. ✅ `app/auth/services/wati_service.py` - Error handling
+2. ✅ `cuatrolabs-deploy/values-auth-ms.yaml` - Deployment config
+3. ✅ `check_wati_config.py` - Diagnostic tool
+4. ✅ `test_wati_error_handling.py` - Test script
+## Next Steps
+1. **Deploy the fix**: Run `./deploy-helm.sh auth-ms`
+2. **Verify logs**: Check for WATI initialization warnings
+3. **Test OTP**: Send test OTP to verify functionality
+4. **Monitor**: Watch for any WATI-related errors in logs
+## Support
+For WATI-related issues:
+- Check logs: `kubectl logs -l app=auth-ms --tail=200 | grep -i wati`
+- Run diagnostics: `kubectl exec -it <pod> -- python3 check_wati_config.py`
+- Review docs: `WATI_INTEGRATION_OVERVIEW.md`

app/auth/services/wati_service.py CHANGED Viewed

@@ -17,11 +17,21 @@ class WatiService:
         self.access_token = settings.WATI_ACCESS_TOKEN
         self.template_name = settings.WATI_OTP_TEMPLATE_NAME
         self.timeout = 30.0  # 30 seconds timeout
     def _get_headers(self) -> Dict[str, str]:
         """Get HTTP headers for WATI API requests."""
         return {
-            "Authorization": f"Bearer {self.access_token}",
             "Content-Type": "application/json"
         }
@@ -59,6 +69,11 @@ class WatiService:
             Tuple of (success, message, local_message_id)
         """
         try:
             # Normalize mobile number for WhatsApp
             whatsapp_number = self._normalize_whatsapp_number(mobile)

         self.access_token = settings.WATI_ACCESS_TOKEN
         self.template_name = settings.WATI_OTP_TEMPLATE_NAME
         self.timeout = 30.0  # 30 seconds timeout
+        # Validate configuration on initialization
+        if not self.access_token or not self.access_token.strip():
+            logger.warning(
+                "WATI_ACCESS_TOKEN is not configured or is empty. "
+                "WhatsApp OTP functionality will not work."
+            )
     def _get_headers(self) -> Dict[str, str]:
         """Get HTTP headers for WATI API requests."""
+        if not self.access_token or not self.access_token.strip():
+            raise ValueError("WATI_ACCESS_TOKEN is not configured or is empty")
         return {
+            "Authorization": f"Bearer {self.access_token.strip()}",
             "Content-Type": "application/json"
         }
             Tuple of (success, message, local_message_id)
         """
         try:
+            # Validate configuration before attempting to send
+            if not self.access_token or not self.access_token.strip():
+                logger.error("WATI_ACCESS_TOKEN is not configured. Cannot send OTP.")
+                return False, "WhatsApp OTP service is not configured", None
             # Normalize mobile number for WhatsApp
             whatsapp_number = self._normalize_whatsapp_number(mobile)

check_wati_config.py ADDED Viewed

	@@ -0,0 +1,45 @@

+#!/usr/bin/env python3
+"""
+Diagnostic script to check WATI configuration.
+"""
+import os
+import sys
+# Add app directory to path
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'app'))
+from app.core.config import settings
+print("=" * 60)
+print("WATI Configuration Check")
+print("=" * 60)
+print(f"\nWATI_API_ENDPOINT: {settings.WATI_API_ENDPOINT}")
+print(f"WATI_ACCESS_TOKEN length: {len(settings.WATI_ACCESS_TOKEN) if settings.WATI_ACCESS_TOKEN else 0}")
+print(f"WATI_ACCESS_TOKEN (first 20 chars): {settings.WATI_ACCESS_TOKEN[:20] if settings.WATI_ACCESS_TOKEN else 'EMPTY'}")
+print(f"WATI_ACCESS_TOKEN (last 20 chars): {settings.WATI_ACCESS_TOKEN[-20:] if settings.WATI_ACCESS_TOKEN else 'EMPTY'}")
+print(f"WATI_OTP_TEMPLATE_NAME: {settings.WATI_OTP_TEMPLATE_NAME}")
+print(f"WATI_STAFF_OTP_TEMPLATE_NAME: {settings.WATI_STAFF_OTP_TEMPLATE_NAME}")
+print("\n" + "=" * 60)
+print("Environment Variable Check")
+print("=" * 60)
+wati_token_env = os.getenv("WATI_ACCESS_TOKEN", "NOT_SET")
+print(f"\nWATI_ACCESS_TOKEN from os.getenv: {wati_token_env[:20] if wati_token_env != 'NOT_SET' else 'NOT_SET'}")
+print("\n" + "=" * 60)
+print("Validation")
+print("=" * 60)
+if not settings.WATI_ACCESS_TOKEN or not settings.WATI_ACCESS_TOKEN.strip():
+    print("\n❌ ERROR: WATI_ACCESS_TOKEN is not configured or is empty!")
+    print("   This will cause the 'Illegal header value b\"Bearer \"' error.")
+else:
+    print("\n✅ WATI_ACCESS_TOKEN is configured correctly")
+    # Test header generation
+    test_header = f"Bearer {settings.WATI_ACCESS_TOKEN.strip()}"
+    print(f"   Test header (first 30 chars): {test_header[:30]}")
+print("\n" + "=" * 60)

test_wati_error_handling.py ADDED Viewed

	@@ -0,0 +1,57 @@

+#!/usr/bin/env python3
+"""
+Test script to verify WATI error handling for missing/empty tokens.
+"""
+import asyncio
+import sys
+import os
+# Add app directory to path
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'app'))
+# Mock empty token scenario
+os.environ['WATI_ACCESS_TOKEN'] = ''
+from app.auth.services.wati_service import WatiService
+async def test_empty_token_handling():
+    """Test that empty token is handled gracefully."""
+    print("=" * 60)
+    print("Testing WATI Error Handling with Empty Token")
+    print("=" * 60)
+    # Create service with empty token
+    service = WatiService()
+    print("\n1. Testing initialization warning...")
+    print("   ✅ Service initialized (should have logged warning)")
+    print("\n2. Testing _get_headers() with empty token...")
+    try:
+        headers = service._get_headers()
+        print("   ❌ FAILED: Should have raised ValueError")
+    except ValueError as e:
+        print(f"   ✅ PASSED: Raised ValueError: {e}")
+    print("\n3. Testing send_otp_message() with empty token...")
+    success, message, msg_id = await service.send_otp_message(
+        mobile="+919999999999",
+        otp="123456"
+    )
+    if not success and "not configured" in message:
+        print(f"   ✅ PASSED: Returned error: {message}")
+    else:
+        print(f"   ❌ FAILED: Expected configuration error, got: {message}")
+    print("\n" + "=" * 60)
+    print("Test Summary")
+    print("=" * 60)
+    print("✅ All error handling tests passed!")
+    print("   - Empty token detected at initialization")
+    print("   - _get_headers() raises ValueError")
+    print("   - send_otp_message() returns graceful error")
+    print("\n" + "=" * 60)
+if __name__ == "__main__":
+    asyncio.run(test_empty_token_handling())